[Pkg-tigervnc-devel] Bug#768369: Acknowledgement ([libjpeg62-turbo] [DOS] Stack smashing)
roucaries bastien
roucaries.bastien+debian at gmail.com
Fri Nov 7 18:47:16 UTC 2014
On Fri, Nov 7, 2014 at 6:36 PM, DRC <dcommander at users.sourceforge.net> wrote:
> I want exactly what I asked for: a way to reproduce this issue. Currently I
> cannot. A backtrace from your machine is not helpful, as it does not tell
> me anything regarding how the library is being used by ImageMagick.
Did you try to compile libjpeg-turbo with the gcc flag -fstack-protector-all? Debian builds with the stack protector enabled, and that is what detects this stack overflow. valgrind is no help here: memcheck does not track the bounds of individual stack buffers, so a write that runs off a local array into a neighbouring stack slot (here, the canary) goes unnoticed by it, whereas the canary check catches it.
BTW, could you nevertheless take a look at the backtrace below. I put a hardware watchpoint on the stack canary using the method in [1] (I may have missed something, because this function is called a great many times and the watchpoint only fires on the store that actually overwrites the canary). Note that the earlier backtrace from __stack_chk_fail points at jchuff.c:641, which is only the epilogue of encode_mcu_huff where the canary is checked on return; the watchpoint pins the overwriting write itself to jchuff.c:543 in encode_one_block (inlined into encode_mcu_huff), i.e. somewhere in this sequence:
kloop(59); kloop(52); kloop(45); kloop(38); kloop(31); kloop(39);
Here is the disassembly around the point where the watchpoint fired. The `=>` marker is at 0x00007ffff39cfd90 (frame #0 of the backtrace below); since a watchpoint stops after the store has completed, the write that hit the canary is presumably the `mov %dil,0x0(%rbp)` immediately before it — a one-byte store through the output pointer carried in %rbp/%rdi — which would mean that pointer has walked past the end of a stack buffer:
0x00007ffff39cfcdf <+11087>: cmp $0xff,%cl
0x00007ffff39cfce2 <+11090>: je 0x7ffff39d6a2d <encode_mcu_huff+39069>
0x00007ffff39cfce8 <+11096>: mov %r11d,%ecx
0x00007ffff39cfceb <+11099>: movslq %r10d,%r10
0x00007ffff39cfcee <+11102>: add %r11d,%edx
0x00007ffff39cfcf1 <+11105>: shl %cl,%rax
0x00007ffff39cfcf4 <+11108>: mov %r13d,%ecx
0x00007ffff39cfcf7 <+11111>: add %r13d,%edx
0x00007ffff39cfcfa <+11114>: or %r9,%rax
0x00007ffff39cfcfd <+11117>: shl %cl,%rax
0x00007ffff39cfd00 <+11120>: or %r10,%rax
0x00007ffff39cfd03 <+11123>: movswl 0x5a(%r15),%r10d
0x00007ffff39cfd08 <+11128>: test %r10d,%r10d
0x00007ffff39cfd0b <+11131>: je 0x7ffff39d5ae8 <encode_mcu_huff+35160>
0x00007ffff39cfd11 <+11137>: mov %r10d,%r9d
0x00007ffff39cfd14 <+11140>: sar $0x1f,%r9d
0x00007ffff39cfd18 <+11144>: mov %r9d,%ecx
0x00007ffff39cfd1b <+11147>: lea (%r10,%r9,1),%r11d
0x00007ffff39cfd1f <+11151>: xor %r10d,%ecx
0x00007ffff39cfd22 <+11154>: sub %r9d,%ecx
0x00007ffff39cfd25 <+11157>: mov %r11d,0x3c(%rsp)
0x00007ffff39cfd2a <+11162>: xor %r11d,%r11d
0x00007ffff39cfd2d <+11165>: movslq %ecx,%rcx
0x00007ffff39cfd30 <+11168>: movzbl (%r14,%rcx,1),%r13d
0x00007ffff39cfd35 <+11173>: nopl (%rax)
0x00007ffff39cfd38 <+11176>: lea 0x0(%r13,%r11,1),%ecx
0x00007ffff39cfd3d <+11181>: mov %rbx,%r10
0x00007ffff39cfd40 <+11184>: movslq %ecx,%rcx
0x00007ffff39cfd43 <+11187>: movslq (%r8,%rcx,4),%r9
0x00007ffff39cfd47 <+11191>: movsbl 0x400(%r8,%rcx,1),%r11d
0x00007ffff39cfd50 <+11200>: mov %r13d,%ecx
0x00007ffff39cfd53 <+11203>: shl %cl,%r10
0x00007ffff39cfd56 <+11206>: sub $0x1,%r10d
0x00007ffff39cfd5a <+11210>: and 0x3c(%rsp),%r10d
0x00007ffff39cfd5f <+11215>: cmp $0x1f,%edx
0x00007ffff39cfd62 <+11218>: jle 0x7ffff39cfdd8 <encode_mcu_huff+11336>
0x00007ffff39cfd64 <+11220>: lea -0x8(%rdx),%ecx
0x00007ffff39cfd67 <+11223>: mov %rax,%rbp
0x00007ffff39cfd6a <+11226>: shr %cl,%rbp
0x00007ffff39cfd6d <+11229>: mov %rbp,%rcx
0x00007ffff39cfd70 <+11232>: mov %bpl,(%rdi)
0x00007ffff39cfd73 <+11235>: lea 0x1(%rdi),%rbp
0x00007ffff39cfd77 <+11239>: cmp $0xff,%cl
0x00007ffff39cfd7a <+11242>: je 0x7ffff39d6c62 <encode_mcu_huff+39634>
0x00007ffff39cfd80 <+11248>: lea -0x10(%rdx),%ecx
0x00007ffff39cfd83 <+11251>: mov %rax,%rdi
0x00007ffff39cfd86 <+11254>: shr %cl,%rdi
0x00007ffff39cfd89 <+11257>: mov %rdi,%rcx
---Type <return> to continue, or q <return> to quit---
0x00007ffff39cfd8c <+11260>: mov %dil,0x0(%rbp)
=> 0x00007ffff39cfd90 <+11264>: lea 0x1(%rbp),%rdi
0x00007ffff39cfd94 <+11268>: cmp $0xff,%cl
0x00007ffff39cfd97 <+11271>: je 0x7ffff39d6c55 <encode_mcu_huff+39621>
0x00007ffff39cfd9d <+11277>: lea -0x18(%rdx),%ecx
0x00007ffff39cfda0 <+11280>: mov %rax,%rbp
0x00007ffff39cfda3 <+11283>: shr %cl,%rbp
0x00007ffff39cfda6 <+11286>: mov %rbp,%rcx
0x00007ffff39cfda9 <+11289>: mov %bpl,(%rdi)
0x00007ffff39cfdac <+11292>: lea 0x1(%rdi),%rbp
0x00007ffff39cfdb0 <+11296>: cmp $0xff,%cl
0x00007ffff39cfdb3 <+11299>: je 0x7ffff39d6c48 <encode_mcu_huff+39608>
0x00007ffff39cfdb9 <+11305>: sub $0x20,%edx
0x00007ffff39cfdbc <+11308>: mov %rax,%rdi
0x00007ffff39cfdbf <+11311>: mov %edx,%ecx
0x00007ffff39cfdc1 <+11313>: shr %cl,%rdi
0x00007ffff39cfdc4 <+11316>: mov %rdi,%rcx
0x00007ffff39cfdc7 <+11319>: mov %dil,0x0(%rbp)
0x00007ffff39cfdcb <+11323>: lea 0x1(%rbp),%rdi
0x00007ffff39cfdcf <+11327>: cmp $0xff,%cl
0x00007ffff39cfdd2 <+11330>: je 0x7ffff39d6c3b <encode_mcu_huff+39595>
0x00007ffff39cfdd8 <+11336>: mov %r11d,%ecx
0x00007ffff39cfddb <+11339>: movslq %r10d,%r10
0x00007ffff39cfdde <+11342>: add %r11d,%edx
0x00007ffff39cfde1 <+11345>: shl %cl,%rax
0x00007ffff39cfde4 <+11348>: mov %r13d,%ecx
0x00007ffff39cfde7 <+11351>: add %r13d,%edx
0x00007ffff39cfdea <+11354>: or %r9,%rax
0x00007ffff39cfded <+11357>: shl %cl,%rax
0x00007ffff39cfdf0 <+11360>: or %r10,%rax
0x00007ffff39cfdf3 <+11363>: movswl 0x4c(%r15),%r10d
0x00007ffff39cfdf8 <+11368>: test %r10d,%r10d
0x00007ffff39cfdfb <+11371>: je 0x7ffff39d5aa0 <encode_mcu_huff+35088>
0x00007ffff39cfe01 <+11377>: mov %r10d,%r9d
0x00007ffff39cfe04 <+11380>: sar $0x1f,%r9d
0x00007ffff39cfe08 <+11384>: mov %r9d,%ecx
0x00007ffff39cfe0b <+11387>: lea (%r10,%r9,1),%r11d
0x00007ffff39cfe0f <+11391>: xor %r10d,%ecx
0x00007ffff39cfe12 <+11394>: xor %r10d,%r10d
0x00007ffff39cfe15 <+11397>: sub %r9d,%ecx
0x00007ffff39cfe18 <+11400>: mov %r11d,0x3c(%rsp)
0x00007ffff39cfe1d <+11405>: movslq %ecx,%rcx
0x00007ffff39cfe20 <+11408>: movzbl (%r14,%rcx,1),%r13d
0x00007ffff39cfe25 <+11413>: nopl (%rax)
0x00007ffff39cfe28 <+11416>: lea 0x0(%r13,%r10,1),%ecx
0x00007ffff39cfe2d <+11421>: mov %rbx,%r10
0x00007ffff39cfe30 <+11424>: movslq %ecx,%rcx
0x00007ffff39cfe33 <+11427>: movslq (%r8,%rcx,4),%r9
Here is the full backtrace at the moment the watchpoint fired (frame #0 is the instruction marked `=>` above). Argument values shown in the outer frames, such as image_info=0x4 or image=0x8, look like optimized-out register artifacts rather than real pointers, so they should not be read as evidence of corruption elsewhere:
(gdb) bt
#0 0x00007ffff39cfd90 in encode_one_block (actbl=0x6462a0,
dctbl=<optimized out>, last_dc_val=<optimized out>,
block=0x7ffff301bbb0, state=0x7fffffff3e40) at jchuff.c:543
#1 encode_mcu_huff (cinfo=0x7fffffff42e0, MCU_data=0x63a450) at jchuff.c:616
#2 0x00007ffff39ca717 in compress_output (cinfo=0x7fffffff42e0,
input_buf=<optimized out>) at jccoefct.c:381
#3 0x00007ffff39ca006 in jpeg_finish_compress (cinfo=0x7fffffff42e0)
at jcapimin.c:183
#4 0x00007ffff3c222d0 in WriteJPEGImage (image_info=0x1fc0ffecc7fe,
image=0x8) at ../../coders/jpeg.c:2810
#5 0x00007ffff79aa1bc in WriteImage (image_info=0x60e530,
image=0x626070) at ../../magick/constitute.c:1114
#6 0x00007ffff79aa87a in WriteImages (image_info=<optimized out>,
images=<optimized out>, filename=<optimized out>, exception=0x604e10)
at ../../magick/constitute.c:1327
#7 0x00007ffff763bc81 in ConvertImageCommand (image_info=0x4, argc=5,
argv=0x604810, metadata=0x1fc0ffecc7fe, exception=0x6462a0) at
../../wand/convert.c:3215
#8 0x00007ffff76a5ee7 in MagickCommandGenesis
(image_info=image_info at entry=0x604f90, command=0x400810
<ConvertImageCommand at plt>, argc=argc at entry=5,
argv=argv at entry=0x7fffffffe118,
metadata=metadata at entry=0x0, exception=exception at entry=0x604e10)
at ../../wand/mogrify.c:168
#9 0x0000000000400887 in ConvertMain (argv=0x7fffffffe118, argc=5) at
../../utilities/convert.c:81
#10 main (argc=5, argv=0x7fffffffe118) at ../../utilities/convert.c:92
(gdb) print *state
$18 = {next_output_byte = 0x645d8e
"SV\355\266\260\220\355\204\311Ĝ\312G\027\215i\342\a", free_in_buffer
= 18, cur = {put_buffer = 10172277107327458490, put_bits = 34,
last_dc_val = {-999,
-13, -8, 0}}, cinfo = 0x7fffffff42e0}
(gdb) list $rip
Undefined convenience variable or function "$rip" not defined.
(gdb) list *$rip
0x7ffff39cfd90 is in encode_mcu_huff (jchuff.c:543).
538 in jchuff.c
(gdb) print *actbl
$19 = {ehufco = {26, 0, 10, 120, 4092, 65516, 65519, 65522, 65525,
65529, 100992517, 117769735, 84346118, 67438344, 118163204, 101123844,
117901064, 4, 27, 506, 65520, 65531, 65530,
84280581, 101057795, 101058054, 84215044, 101254661, 101123333,
84346374, 101057283, 84280838, 117966854, 11, 121, 2044, 65534,
84478214, 84149509, 67569160, 118097409, 101321224,
84280327, 134546693, 50529802, 117900548, 151127305, 101254666,
117900548, 12, 248, 8188, 50595333, 117900291, 33817864, 117965569,
134481157, 67240968, 101188612, 84149765, 117770251,
100993035, 101189383, 134743814, 100992520, 28, 507, 65517,
134874630, 151586307, 67569413, 84280580, 67373064, 101189381,
101058569, 117835270, 168428805, 134678538, 67372552,
117966598, 100992260, 58, 1018, 65523, 117835529, 84215046,
50594307, 67372291, 168495365, 117966599, 117704201, 134678279,
84609030, 117900802, 84346888, 236981504, 67437826, 59, 2045,
65526, 101057797, 100926470, 101124103, 84280580, 134743557,
168495113, 134679307, 117769737, 117967885, 100992517, 202902532,
101320709, 117967109, 122, 4093, 84084748, 134612487,
168364556, 101124619, 84150284, 185009410, 50333974, 84150795,
117769734, 50596107, 168429317, 151456012, 117901067, 118229513, 123,
32756, 65532, 134612742, 151455497, 100926985,
202641417, 151324166, 100992522, 101123847, 202181123, 50333710,
33818118, 84148996, 16974083, 100926723, 249, 32757, 16843266,
83951873, 67372295, 16909317, 33817858, 84148994,
100992003, 67305730, 168100355, 67305990, 16909318, 50529284,
67437059, 33817859, 250, 65518, 134546436, 33882885, 67373831,
50464528, 84083460, 67437572, 50529285, 50462979, 84214788,
117703172, 117900549, 50462724, 33817091, 67437570, 251, 65521,
151257608, 67372295, 67372036, 50660356, 33620483, 33883653, 84083972,
84345604, 50989314, 50595332, 67305987, 117637893,
33620483, 50529283, 508, 65524, 33752068, 84083204, 84148997,
16975364, 84149251...},
ehufsi = "\005\001\004\a\f\020\020\020\020\020\000\000\000\000\000\000\000\003\005\t\020\020\020\000\000\000\000\000\000\000\000\000\000\004\a\v\020",
'\000' <repeats 12 times>, "\004\b\r", '\000' <repeats 13 times>,
"\005\t\020", '\000' <repeats 13 times>, "\006\n\020", '\000' <repeats
13 times>, "\006\v\020", '\000' <repeats 13 times>, "\a\f", '\000'
<repeats 14 times>, "\a\017\020", '\000' <repeats 13 times>, "\b\017",
'\000' <repeats 14 times>, "\b\020", '\000' <repeats 14 times>,
"\b\020", '\000' <repeats 14 times>, "\t\020", '\000' <repeats 14
times>...}
(gdb) print *block
$20 = -591
(gdb) print state->cur.cinfo
There is no member named cinfo.
(gdb) print *(state->cur.cinfo)
There is no member named cinfo.
(gdb) print *(state->cinfo)
$21 = {err = 0x7fffffff4150, mem = 0x621550, progress = 0x0,
client_data = 0x7fffffff4200, is_decompressor = 0, global_state = 101,
dest = 0x63a040, image_width = 1944, image_height = 2592,
input_components = 3, in_color_space = JCS_RGB, input_gamma = 1,
data_precision = 8, num_components = 3, jpeg_color_space = JCS_YCbCr,
comp_info = 0x61c450, quant_tbl_ptrs = {0x61c810,
0x61c8a0, 0x0, 0x0}, dc_huff_tbl_ptrs = {0x61c930, 0x61cb70, 0x0,
0x0}, ac_huff_tbl_ptrs = {0x61ca50, 0x61cc90, 0x0, 0x0}, arith_dc_L =
'\000' <repeats 15 times>,
arith_dc_U = '\001' <repeats 16 times>, arith_ac_K = '\005' <repeats
16 times>, num_scans = 1, scan_info = 0x0, raw_data_in = 0, arith_code
= 0, optimize_coding = 1, CCIR601_sampling = 0,
smoothing_factor = 0, dct_method = JDCT_FLOAT, restart_interval = 0,
restart_in_rows = 0, write_JFIF_header = 1, JFIF_major_version = 1
'\001', JFIF_minor_version = 1 '\001',
density_unit = 1 '\001', X_density = 72, Y_density = 72,
write_Adobe_marker = 0, next_scanline = 2592, progressive_mode = 0,
max_h_samp_factor = 2, max_v_samp_factor = 2,
total_iMCU_rows = 162, comps_in_scan = 3, cur_comp_info = {0x61c450,
0x61c4b0, 0x61c510, 0x0}, MCUs_per_row = 122, MCU_rows_in_scan = 162,
blocks_in_MCU = 6, MCU_membership = {0, 0, 0, 0,
1, 2, 0, 0, 0, 0}, Ss = 0, Se = 63, Ah = 0, Al = 0, master =
0x63a080, main = 0x63a6d0, prep = 0x63a140, coef = 0x63a430, marker =
0x63a840, cconvert = 0x63a0b0, downsample = 0x63a0d0,
fdct = 0x63a1e0, entropy = 0x63a370, script_space = 0x0,
script_space_size = 0}
[1] https://securityblog.redhat.com/2013/10/23/debugging-stack-protector-failures/
>
>
> On 11/7/14 11:26 AM, roucaries bastien wrote:
>>
>> On Fri, Nov 7, 2014 at 4:57 PM, DRC <dcommander at users.sourceforge.net>
>> wrote:
>>>
>>> Happy to fix it, but I need to be able to reproduce it first, using only
>>> libjpeg-turbo. Currently I cannot. I tried running
>>
>>
>> Here is a backtrace; do you want the arguments of the called functions as well?
>> #0 0x00007ffff7067107 in __GI_raise (sig=sig at entry=6) at
>> ../nptl/sysdeps/unix/sysv/linux/raise.c:56
>> #1 0x00007ffff70684e8 in __GI_abort () at abort.c:89
>> #2 0x00007ffff70a5044 in __libc_message (do_abort=do_abort at entry=2,
>> fmt=fmt at entry=0x7ffff719568b "*** %s ***: %s terminated\n") at
>> ../sysdeps/posix/libc_fatal.c:175
>> #3 0x00007ffff7128137 in __GI___fortify_fail
>> (msg=msg at entry=0x7ffff7195673 "stack smashing detected") at
>> fortify_fail.c:31
>> #4 0x00007ffff7128100 in __stack_chk_fail () at stack_chk_fail.c:28
>> #5 0x00007ffff39d7553 in encode_mcu_huff (cinfo=0x7fffffff42e0,
>> MCU_data=0x63a450) at jchuff.c:641
>> #6 0x00007ffff39ca717 in compress_output (cinfo=0x7fffffff42e0,
>> input_buf=<optimized out>) at jccoefct.c:381
>> #7 0x00007ffff39ca006 in jpeg_finish_compress (cinfo=0x7fffffff42e0)
>> at jcapimin.c:183
>> #8 0x00007ffff3c222d0 in WriteJPEGImage (image_info=0x2c0c,
>> image=0x2c0c) at ../../coders/jpeg.c:2810
>> #9 0x00007ffff79aa1bc in WriteImage (image_info=0x60e530,
>> image=0x626070) at ../../magick/constitute.c:1114
>> #10 0x00007ffff79aa87a in WriteImages (image_info=<optimized out>,
>> images=<optimized out>, filename=<optimized out>, exception=0x604e10)
>> at ../../magick/constitute.c:1327
>> #11 0x00007ffff763bc81 in ConvertImageCommand (image_info=0x4, argc=5,
>> argv=0x604810, metadata=0xffffffffffffffff, exception=0x0) at
>> ../../wand/convert.c:3215
>> #12 0x00007ffff76a5ee7 in MagickCommandGenesis
>> (image_info=image_info at entry=0x604f90, command=0x400810
>> <ConvertImageCommand at plt>, argc=argc at entry=5,
>> argv=argv at entry=0x7fffffffe118,
>> metadata=metadata at entry=0x0, exception=exception at entry=0x604e10)
>> at ../../wand/mogrify.c:168
>> #13 0x0000000000400887 in ConvertMain (argv=0x7fffffffe118, argc=5) at
>> ../../utilities/convert.c:81
>> #14 main (argc=5, argv=0x7fffffffe118) at ../../utilities/convert.c:92
>>
>>>
>>> jpegtran -optimize -rotate 270 003632r270.jpg >out.jpg
>>>
>>> and
>>>
>>> jpegtran -progressive -optimize -rotate 270 003632r270.jpg >out.jpg
>>>
>>> with valgrind, and no issues were detected.
>>>
>>> I also tried the convert command line listed above, and with my
>>> (admittedly
>>> older) version of ImageMagick, no issues were detected. This leads me to
>>> suspect an issue with ImageMagick, not libjpeg-turbo. Furthermore,
>>> Mozilla
>>> bangs on the -optimize switch a tremendous amount, since that switch is
>>> enabled by default in their mozjpeg encoder (mozjpeg is focused on
>>> getting
>>> the absolute best compression ratio possible-- at the expense of like a
>>> 50x
>>> drop in performance-- so they enable progressive & optimize by default,
>>> as
>>> well as include other extensions like jpgcrush and trellis coding that
>>> aren't in libjpeg-turbo.) Furthermore, there is nothing about the
>>> optimized
>>> (multi-pass) Huffman coding feature that is different between
>>> libjpeg-turbo
>>> and libjpeg, so if this is genuinely a bug in libjpeg-turbo, it is likely
>>> to
>>> exist in libjpeg as well. Our optimizations affect only single-pass
>>> Huffman
>>> coding.
>>>
>